SLOTH Attacks and the Risks Involved

Researchers Karthikeyan Bhargavan and Gaetan Leurent have found that practitioners justify the continued use of weak hash functions in the cryptographic constructions of mainstream protocols on the grounds that these protocols rely only on second preimage resistance and are therefore unaffected by collision attacks. The weak hash functions in question are MD5 and SHA-1, as used in TLS 1.1, 1.2, and 1.3, along with IKEv1 and SSH 2. But Bhargavan and Leurent have found a number of weak-hash-based attack techniques against MD5 and SHA-1 that are already either practical or dangerously close to it. They are called SLOTH attacks.

SLOTH stands for Security Losses from Obsolete and Truncated Transcript Hashes. In short, the attacks represent “a not-so subtle reference to laziness in the protocol design community with regard to removing legacy cryptographic constructions.” While the technicalities of their SLOTH papers can seem overwhelming, Bhargavan and Leurent stress the importance of moving away from these cryptographic algorithms and on to stronger ones for better enterprise security.

SLOTH Papers

SLOTH attacks are not particularly easy, which means that for now these techniques remain in the hands of attackers who have both the time and money to try to exploit weaknesses in hash algorithms. However, hash protocol is growing increasingly advanced while older cryptographic algorithms are becoming more outdated, making weak hash functions more susceptible to attack.

Bhargavan and Leurent’s SLOTH papers describe a number of attacks that exemplify the risks of using obsolete hash algorithms in mainstream protocols. One transcript collision attack against TLS server signatures using MD5 cut the effective security in half, from 128 bits to 64 bits. The security loss for other attacks against TLS authentication was even worse. TLS authentication depends on a reliable hash, and as the examples in the SLOTH papers show, if a hash algorithm has poor collision resistance, then its function is flawed and therefore weak in the event of a collision attack.

As a result, Bhargavan and Leurent conclude that continued use of weak hash algorithms in mainstream cryptographic protocols “significantly reduces security and, in some cases, leads to practical attacks on key protocol mechanisms . . . The complexity of our transcript collision attacks are significantly lower than the estimated work for a second preimage attack on the underlying hash function—[settling any] debate on whether the security of mainstream cryptographic protocols depend on collision resistance. Except in rare cases, mainstream protocols do require collision resistance for protection against man-in-the-middle transcript collision attacks.”

They further recommend that weak hash functions like MD5 and SHA-1 “should not just be deprecated; they should be forcefully disabled in existing protocols.”
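One way to check whether a TLS 1.2 peer still offers the MD5 or SHA-1 signature hashes the researchers want disabled is to audit the signature_algorithms extension it sends. The following is an added example, not code from the SLOTH papers or from this article; the hash and signature code points come from RFC 5246, and the two extension bodies are constructed samples.

```python
import struct

# HashAlgorithm / SignatureAlgorithm code points from RFC 5246, section 7.4.1.4.1
HASHES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
          4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
WEAK_HASHES = {"md5", "sha1"}  # the hashes the article says to disable

def parse_signature_algorithms(ext_data: bytes):
    """Parse a signature_algorithms extension body into (hash, signature) names."""
    if len(ext_data) < 2:
        raise ValueError("truncated: missing list length")
    (list_len,) = struct.unpack_from("!H", ext_data, 0)
    body = ext_data[2:]
    # The list must be non-empty, hold whole 2-byte pairs, and match its length field.
    if list_len == 0 or list_len % 2 or list_len != len(body):
        raise ValueError("malformed supported_signature_algorithms list")
    pairs = []
    for i in range(0, list_len, 2):
        h, s = body[i], body[i + 1]
        # Code points outside the TLS 1.2 tables (for example TLS 1.3
        # schemes) are reported as unknown rather than guessed at.
        pairs.append((HASHES.get(h, f"unknown({h})"), SIGS.get(s, f"unknown({s})")))
    return pairs

def audit(ext_data: bytes):
    """Return the offered pairs, those using MD5 or SHA-1, and an overall verdict."""
    pairs = parse_signature_algorithms(ext_data)
    weak = [p for p in pairs if p[0] in WEAK_HASHES]
    return {"offered": pairs, "weak": weak, "ok": not weak}

# Constructed sample: a legacy peer that still lists RSA-SHA1 and RSA-MD5.
LEGACY = bytes.fromhex("000a" "0401" "0501" "0403" "0201" "0101")
# Constructed sample: the same peer after the weak hashes are removed.
HARDENED = bytes.fromhex("0006" "0401" "0501" "0403")

if __name__ == "__main__":
    for name, ext in (("legacy", LEGACY), ("hardened", HARDENED)):
        result = audit(ext)
        print(name, "ok" if result["ok"] else f"weak pairs offered: {result['weak']}")
```
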

The Takeaway

The SLOTH techniques used in research attacks against both algorithms in TLS client and server authentication open the door to impersonation attacks, and to credential forwarding if the attack targets TLS channel binding. Overall, the use of MD5 hash algorithms should be discontinued immediately, while SHA-1 users should follow Bhargavan and Leurent’s advice to prepare for the deprecation of SHA-1 algorithms by the end of this year. Older hash mechanisms significantly diminish encryption, cast doubt on authentication, and undermine integrity, ultimately weakening enterprise security.

For more information, Bhargavan and Leurent maintain a SLOTH website where users can learn about known attacks, potential targets, and whether protocols and implementations have been fixed.